  2. MDEV-15791

XA: Server crashes in lock_release upon closing connection


Details

    Description

      Note: the test case is non-deterministic; run it with --repeat=N.

      --source include/have_innodb.inc
      # Fixture: one InnoDB row that every DML statement below touches.
      CREATE TABLE t1 (col1 INT, col2 INT) ENGINE = InnoDB;
      INSERT INTO t1 VALUES (1,1);
       
      # con1 opens an XA transaction that is never XA END'ed, prepared or
      # committed in this script: it is still active when con1 disconnects.
      --connect(con1,localhost,root,,test)
      XA BEGIN 'xid';
      INSERT INTO t1 VALUES (1,0);
       
      # Two concurrent DELETEs of the same rows (default and con1), both sent
      # without waiting; ER_LOCK_DEADLOCK is accepted on reap because the two
      # sessions may deadlock on each other's row locks.
      --connection default
      --send
      DELETE FROM t1;
       
      --connection con1
      --send
      DELETE FROM t1;
       
      # Third session: concurrent DDL on the same table with a 1 s lock wait
      # timeout, also sent without waiting. Two rows with col1 = 1 already
      # exist, so the UNIQUE KEY add itself may fail with ER_DUP_ENTRY.
      --connect(con2,localhost,root,,test)
      SET innodb_lock_wait_timeout= 1;
      --send
      ALTER TABLE t1 ADD UNIQUE KEY uidx(col1);
       
      # Back on con1: every outcome of the race is accepted (the "0,<error>"
      # lists); the INSERT can hit ER_DUP_ENTRY only if con2's ALTER has
      # already added the unique key on col1.
      --connection con1
      --error 0,ER_LOCK_DEADLOCK
      --reap
      --error 0,ER_DUP_ENTRY
      INSERT INTO t1 VALUES (2,2),(2,2);
      # DDL is expected to be refused with ER_XAER_RMFAIL while the XA
      # transaction is active.
      --error ER_XAER_RMFAIL
      ALTER TABLE t1 FORCE;
      UPDATE t1 SET col2 = 2;
       
      # Cleanup
      # Disconnecting con1 with the XA transaction still open makes the server
      # roll it back implicitly in THD::cleanup; per the stack traces in this
      # report (trans_rollback -> innobase_rollback -> lock_release) this is
      # the path on which the crash / ASAN heap-use-after-free is observed.
      # Which statement freed the lock memory is not symbolised in the ASAN
      # output, so the exact interleaving needed is not known from here.
      --disconnect con1
      --connection con2
      --error 0,ER_LOCK_WAIT_TIMEOUT,ER_DUP_ENTRY
      --reap
      --disconnect con2
      --connection default
      --error 0,ER_LOCK_DEADLOCK
      --reap
      DROP TABLE t1;
      

      10.0 6aff5fa27ae863670608ae88b134453fe53c3e17

      #3  <signal handler called>
      #4  0x00007fcd2cb9cb55 in lock_release (trx=0x7fcd20832478) at /data/src/10.0/storage/innobase/lock/lock0lock.cc:4803
      #5  0x00007fcd2cba2095 in lock_trx_release_locks (trx=0x7fcd20832478) at /data/src/10.0/storage/innobase/lock/lock0lock.cc:7047
      #6  0x00007fcd2ccb9c9c in trx_commit_in_memory (trx=0x7fcd20832478, lsn=1652367) at /data/src/10.0/storage/innobase/trx/trx0trx.cc:1182
      #7  0x00007fcd2ccba6f0 in trx_commit_low (trx=0x7fcd20832478, mtr=0x7fcd36312660) at /data/src/10.0/storage/innobase/trx/trx0trx.cc:1389
      #8  0x00007fcd2ccba761 in trx_commit (trx=0x7fcd20832478) at /data/src/10.0/storage/innobase/trx/trx0trx.cc:1410
      #9  0x00007fcd2ccaf3a4 in trx_rollback_finish (trx=0x7fcd20832478) at /data/src/10.0/storage/innobase/trx/trx0roll.cc:1339
      #10 0x00007fcd2ccac946 in trx_rollback_to_savepoint_low (trx=0x7fcd20832478, savept=0x0) at /data/src/10.0/storage/innobase/trx/trx0roll.cc:114
      #11 0x00007fcd2ccacc7f in trx_rollback_for_mysql_low (trx=0x7fcd20832478) at /data/src/10.0/storage/innobase/trx/trx0roll.cc:169
      #12 0x00007fcd2ccacfa9 in trx_rollback_for_mysql (trx=0x7fcd20832478) at /data/src/10.0/storage/innobase/trx/trx0roll.cc:200
      #13 0x00007fcd2cb41728 in innobase_rollback (hton=0x7fcd2ed11270, thd=0x7fcd2878a070, rollback_trx=true) at /data/src/10.0/storage/innobase/handler/ha_innodb.cc:4018
      #14 0x000000000083ce93 in ha_rollback_trans (thd=0x7fcd2878a070, all=true) at /data/src/10.0/sql/handler.cc:1644
      #15 0x000000000077cd90 in trans_rollback (thd=0x7fcd2878a070) at /data/src/10.0/sql/transaction.cc:309
      #16 0x0000000000610769 in THD::cleanup (this=0x7fcd2878a070) at /data/src/10.0/sql/sql_class.cc:1536
      #17 0x000000000058f620 in thd_cleanup (thd=0x7fcd2878a070) at /data/src/10.0/sql/mysqld.cc:2633
      #18 0x000000000058f741 in unlink_thd (thd=0x7fcd2878a070) at /data/src/10.0/sql/mysqld.cc:2691
      #19 0x000000000058fb38 in one_thread_per_connection_end (thd=0x7fcd2878a070, put_in_cache=true) at /data/src/10.0/sql/mysqld.cc:2817
      #20 0x0000000000769d94 in do_handle_one_connection (thd_arg=0x7fcd2878a070) at /data/src/10.0/sql/sql_connect.cc:1388
      #21 0x0000000000769a64 in handle_one_connection (arg=0x7fcd2878a070) at /data/src/10.0/sql/sql_connect.cc:1292
      #22 0x0000000000aca5dc in pfs_spawn_thread (arg=0x7fcd2871b970) at /data/src/10.0/storage/perfschema/pfs.cc:1861
      #23 0x00007fcd35fe2494 in start_thread (arg=0x7fcd36313700) at pthread_create.c:333
      #24 0x00007fcd3439b93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      10.0 ASAN c051eaba46

      ==14178==ERROR: AddressSanitizer: heap-use-after-free on address 0x61600005e918 at pc 0x7f35d8c4d828 bp 0x7f35cb63ae60 sp 0x7f35cb63ae58
      READ of size 8 at 0x61600005e918 thread T22
          #0 0x7f35d8c4d827 in lock_release /data/src/10.0/storage/innobase/lock/lock0lock.cc:4803
          #1 0x7f35d8c4d827 in lock_trx_release_locks(trx_t*) /data/src/10.0/storage/innobase/lock/lock0lock.cc:7047
          #2 0x7f35d8ea322e in trx_commit_in_memory /data/src/10.0/storage/innobase/trx/trx0trx.cc:1182
          #3 0x7f35d8ea322e in trx_commit_low(trx_t*, mtr_t*) /data/src/10.0/storage/innobase/trx/trx0trx.cc:1389
          #4 0x7f35d8ea555c in trx_commit(trx_t*) /data/src/10.0/storage/innobase/trx/trx0trx.cc:1410
          #5 0x7f35d8e80bba in trx_rollback_finish /data/src/10.0/storage/innobase/trx/trx0roll.cc:1339
          #6 0x7f35d8e89db2 in trx_rollback_to_savepoint_low /data/src/10.0/storage/innobase/trx/trx0roll.cc:114
          #7 0x7f35d8e8a6f8 in trx_rollback_for_mysql_low /data/src/10.0/storage/innobase/trx/trx0roll.cc:169
          #8 0x7f35d8e8ab47 in trx_rollback_for_mysql(trx_t*) /data/src/10.0/storage/innobase/trx/trx0roll.cc:200
          #9 0x7f35d8b9ab36 in innobase_rollback /data/src/10.0/storage/innobase/handler/ha_innodb.cc:4018
          #10 0xb67976 in ha_rollback_trans(THD*, bool) /data/src/10.0/sql/handler.cc:1642
          #11 0x9a5c56 in trans_rollback(THD*) /data/src/10.0/sql/transaction.cc:309
          #12 0x64802e in THD::cleanup() /data/src/10.0/sql/sql_class.cc:1536
          #13 0x52239a in thd_cleanup(THD*) /data/src/10.0/sql/mysqld.cc:2633
          #14 0x522a03 in unlink_thd(THD*) /data/src/10.0/sql/mysqld.cc:2691
          #15 0x523026 in one_thread_per_connection_end(THD*, bool) /data/src/10.0/sql/mysqld.cc:2817
          #16 0x978ccf in do_handle_one_connection(THD*) /data/src/10.0/sql/sql_connect.cc:1388
          #17 0x978e5e in handle_one_connection /data/src/10.0/sql/sql_connect.cc:1292
          #18 0x11b294a in pfs_spawn_thread /data/src/10.0/storage/perfschema/pfs.cc:1861
          #19 0x7f35e32f6493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #20 0x7f35e16af93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x61600005e918 is located 152 bytes inside of 568-byte region [0x61600005e880,0x61600005eab8)
      freed by thread T23 here:
          #0 0x7f35e3560527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x7f35d8c83042 in mem_area_free(void*, mem_pool_t*) /data/src/10.0/storage/innobase/mem/mem0pool.cc:519
          #2 0x7f35d8ecaba8 (/data/bld/10.0-asan/lib/plugin/ha_innodb.so+0x660ba8)
       
      previously allocated by thread T23 here:
          #0 0x7f35e356073f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x7f35d8c82609 in mem_area_alloc(unsigned long*, mem_pool_t*) /data/src/10.0/storage/innobase/mem/mem0pool.cc:381
       
      Thread T22 created by T0 here:
          #0 0x7f35e352fbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x11be1a1 in spawn_thread_v1 /data/src/10.0/storage/perfschema/pfs.cc:1911
       
      Thread T23 created by T0 here:
          #0 0x7f35e352fbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x11be1a1 in spawn_thread_v1 /data/src/10.0/storage/perfschema/pfs.cc:1911
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.0/storage/innobase/lock/lock0lock.cc:4803 lock_release
      Shadow bytes around the buggy address:
        0x0c2c80003cd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c2c80003ce0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c2c80003cf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
        0x0c2c80003d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c2c80003d10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c2c80003d20: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c2c80003d30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c2c80003d40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c2c80003d50: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
        0x0c2c80003d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c2c80003d70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==14178==ABORTING
      
